Hearing

Reviewing the FAFSA Data Breach

The Department of Education (the Department) refuses to recognize this as a “data breach” and has not implemented solutions to fix the vulnerabilities.

The Treasury Inspector General for Tax Administration witness testified that individuals involved in prior criminal activity against the Internal Revenue Service (IRS) were also involved in this exploitation of the Free Application for Federal Student Aid and the Data Retrieval Tool (DRT).

In September of 2016, the IRS identified vulnerabilities with its DRT and did not take immediate action to encrypt and secure sensitive data.

FISMA requires that agencies notify Congress of a “major incident” within seven days of detection. The Department and the IRS failed to meet this legal obligation and notified Congress 38 days after the incident.

PURPOSE:

To examine operational and cybersecurity decisions made by the Department and the IRS regarding the security breach of the DRT.

BACKGROUND:

In March 2017, the Department and the IRS shut down the DRT on FAFSA.gov and StudentLoans.gov when hackers gained access to taxpayers’ adjusted gross incomes, which criminals can use to file fraudulent tax returns.

IRS warned the Department about this security vulnerability as early as October 2016; they continued to discuss the problem for several months until suspicious use had risen to the level that a shutdown was required.

Initial estimates show 120,000 taxpayers’ information impacted, and the administration of financial aid processing has been disrupted.

KEY VIDEOS:

Rep. Jody Hice (R-GA): “It appears to me at the end of the day you’re either in denial of what happened or you’re incompetent or you’re just untruthful in what’s happening here . . . the abuse that’s been inflicted on American citizens by the IRS is inexcusable and it’s time that there’s accountability and some change that takes place at the IRS.”

Chairman Mark Meadows (R-NC): “At what point are we going to get [notifying Congress of data breaches] right? Because we continue to have breaches . . . and yet what happens is we’re always coming in after the fact to look at this.”

Rep. Paul Mitchell (R-MI): “When you’ve got something as important as personal information from the amount of students you have, the moment in time that you think your data has been breached you have . . . a moral if not legal responsibility to notify Congress. That’s a lot of information and it wasn’t done, and it’s not the first time it wasn’t done.”